
The HTTP/2 RFC (http://httpwg.org/specs/rfc7540.html) says:

All HTTP/2 requests MUST include exactly one valid value for the :method, :scheme, and :path pseudo-header fields

(Note it doesn’t include authority)

For push promise:

The server MUST include a value in the :authority pseudo-header field for which the server is authoritative

My question is, for server push promise request frames, does the server need to always include the authority pseudo header OR if it decides to include it then it must be an authority the server is authoritative for?

lf215
  • The first one is about requests and the second one is about responses, no? – Ry- Dec 23 '17 at 04:16
  • The four pseudo header fields mentioned here are only defined as request pseudo header fields. There is only one response pseudo header field defined - ‘status’ – lf215 Dec 23 '17 at 04:32

1 Answer


I think that the :authority header must always be included in PUSH_PROMISE frames, for the reason that a client may use the same connection for different host names, if the certificates and the IP addresses resolve accordingly.

By adding the authority frame the client will have a precise match between the resource being pushed and the resources that it will need to retrieve.

Without the :authority header, a client may assume a pushed resource is https://example.com/background.png, but later find in the HTML downloaded from example.com that the resource is instead https://images.example.com/background.png; because the URIs don't match, the client would issue a request for that resource rather than using the pushed resource.

Other than this explanation, you could try to emit a PUSH_PROMISE without :authority and see how the various browsers behave: sometimes the implementation behavior is then used to strengthen the specification.

sbordet
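The matching described in the answer above, as an added example that is not part of the original post: a strict client-side check of PUSH_PROMISE request headers that takes the reading where :authority is mandatory, rejects an authority the server's certificate does not cover, and keys the push cache on the full URI. The function names, the `PushRejected` exception and the certificate names are assumptions made for illustration; RFC 7540 section 8.2 specifies the error for a non-authoritative push as a stream error of type PROTOCOL_ERROR.

```python
# Added example: strict client-side validation of PUSH_PROMISE request headers.
# Hostnames and certificate names used with it are constructed sample data.

REQUIRED = (":method", ":scheme", ":path", ":authority")
SAFE_METHODS = {"GET", "HEAD"}  # promised requests must be safe and cacheable


class PushRejected(Exception):
    """Hypothetical error; a real client would reset the promised stream."""


def host_matches(pattern, host):
    """Match a certificate dNSName; '*' is allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def validate_push_promise(headers, cert_names):
    """headers: list of (name, value) pairs. Returns the promised URI (cache key)."""
    pseudo = {}
    for name, value in headers:
        if name.startswith(":"):
            if name in pseudo:
                raise PushRejected(f"duplicate {name}")
            pseudo[name] = value
    for name in REQUIRED:
        if not pseudo.get(name):
            raise PushRejected(f"missing {name}")
    if pseudo[":method"] not in SAFE_METHODS:
        raise PushRejected("promised method is not safe")
    host = pseudo[":authority"].rsplit(":", 1)[0]  # drop optional port (no IPv6 here)
    if not any(host_matches(n, host) for n in cert_names):
        raise PushRejected(f"server is not authoritative for {host}")
    return f'{pseudo[":scheme"]}://{pseudo[":authority"]}{pseudo[":path"]}'


def lookup_push(push_cache, request_uri):
    """A pushed response is used only when the full URI, authority included, matches."""
    return push_cache.get(request_uri)
```

With a push accepted for `https://example.com/background.png`, a later lookup for `https://images.example.com/background.png` misses the push cache, which is the mismatch the answer describes.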